Who Is Actually Under Attack Right Now? Meta, Apple, and itsme Are Live in the Phishing Feed. Our Infrastructure Board Says a Bigger Wave Is Loading.
- Patrick Duggan
- 3 hours ago
- 4 min read
There is a difference between being exposed and being on fire, and most threat reporting blurs the two into a single scary paragraph. So here is the honest, data-grounded answer to a question we get asked constantly — who is actually under attack right now? — split into the three tiers the data actually supports, each with the receipts that put it there. The short version: the live fire is on consumers, the enterprises are exposed but not yet lit, and our infrastructure board says something larger is being built that has not picked its target.
Tier 1: Consumers Are On Fire — Live in Our Feed Today
These are not predictions. These are phishing infrastructures sitting in our IOC index right now, actively impersonating real brands to steal from their users. To be precise about sourcing: these come through our OpenPhish-fed substrate, so the honest framing is "live in our feed," not "we caught them first" — but they are live, and they are running.
Meta and Facebook are the heaviest hit. We are looking at multiple live business-ad-account takeover kits at this moment: infrastructure themed around Meta and Facebook Ads Manager, built to harvest the credentials of people who run paid advertising. This is the campaign class that drains ad budgets and hijacks business pages, and it is running at volume. The tell is in the domain construction — impersonation strings wrapped around "ads-agency," "ads-manager," and "accounts-admin" host names.
Apple is being spoofed with a classic iCloud / Find My lure on a typosquatted domain that swaps letters in "apple" and hangs "find" off the end — the pattern that precedes account lockout and device-ransom scams.
itsme, the Belgian digital-identity app that millions use to log into banks and government services, is being impersonated to steal the identity credential itself — which is worse than a password, because it is the thing that vouches for you everywhere else.
USPS remains the consumer megalodon. The tracking-number scam infrastructure has never stopped; we carry a standing cluster of live USPS-themed phishing domains, and it refreshes faster than takedowns remove it.
The hosting pattern across all of these is what we named Pattern 49: platform-native abuse of free developer infrastructure — Cloudflare Pages, Vercel — where the phishing page inherits a trusted platform's TLS and reputation for free. That is where the live fire is burning tonight, and every one of those targets is a brand whose users are the victims.
Tier 2: The Infrastructure Board Says a Bigger Wave Is Loading
Underneath the live consumer fire, our precursor-signal system — the one that flagged staging patterns before several past waves — is lit up in a way we have only seen a handful of times. As of today, six signals are elevated at once. Cross-Index Threat Convergence is pegged at its maximum. Tor Infrastructure Mass Deployment is at 0.9. Infrastructure Activation Surge is at 0.9. C2 publication and raw IOC velocity are both up.
Here is what that means and — just as important — what it does not mean. It means adversary capacity is being built at scale right now: anonymization layers spinning up, command-and-control being published, indicators appearing faster than baseline. It is the same board shape that preceded the late-April wave when we watched hundreds of Tor relays stage before the drop. What it does not do is name a victim. These are infrastructure signals, not target signals. So we are telling you honestly: something is being built, the gauges that usually precede a wave are elevated together, and we cannot yet tell you where it lands. That uncertainty is the accurate report. Anyone who names the target from signals like these is guessing and calling it intelligence.
Tier 3: The Enterprises Are Exposed — But Not Yet Staged
This is the tier where we most want to be precise, because it is the one everyone gets wrong. Our healthcare watch cohort — the concentrated, high-value targets that sit on the exact attack surfaces ShinyHunters and its peers have been exploiting — is structurally exposed but not currently under active attack. We ran the brand-attack-path scan today. Across the cohort, the number of genuine credential-harvest lookalikes staged and waiting was zero.
That "zero" is a real result, and getting to it honestly required killing our own false positives. Our first pass flagged a couple of lookalike domains with login pages — until we followed the redirects and found they pointed straight into a legitimate corporate single-sign-on provider. They were a company's own login vanity domains, not attacker staging. We fixed the detection to recognize that, because a brand-protection tool that cannot tell a company's own SSO from a phishing page is worse than no tool. The only near-signals left in the cohort are a small number of mail-capable typosquat clusters sitting on shared parking hosts — the kind of thing an attacker registers early and activates later. Worth watching. Not yet weaponized.
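The triage logic the post describes has two halves: a lookalike test on the hostname (a brand embedded in a label, wrapped in lure tokens such as "ads-manager", or one edit away as in the letter-swapped "apple" domain), and a redirect-chain check that keeps a company's own SSO vanity domain from being reported as attacker staging. The following is an added illustration of that two-stage check, not the authors' scanner or any code from the feed. The brand list, the identity-provider allowlist, the `.test` hostnames and the recorded redirect chains are all constructed for the example; a real deployment would load its own watch list and resolve redirects with live HTTP.

```python
"""Lookalike-domain triage with SSO false-positive suppression (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlparse

# Brands named in the post plus one constructed cohort brand ("examplehealth").
BRANDS = ("facebook", "meta", "apple", "itsme", "usps", "examplehealth")
# Free developer hosting suffixes the post groups under Pattern 49.
PLATFORM_SUFFIXES = (".pages.dev", ".vercel.app")
# Constructed allowlist of legitimate identity-provider hosts (hypothetical names).
TRUSTED_SSO_HOSTS = {"login.example-idp.test", "sso.example-idp.test"}
MAX_HOPS = 10  # stop following a redirect chain that loops


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert/delete/substitute cost 1 and an
    adjacent transposition ("appel" vs "apple") also costs 1, unlike plain Levenshtein."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def on_free_platform(host: str) -> bool:
    """True when the host sits on one of the Pattern 49 developer platforms."""
    return host.lower().endswith(PLATFORM_SUFFIXES)


def brand_hit(host: str) -> str | None:
    """Return the brand a hostname imitates: brand embedded in a label, or a
    label/hyphen-token within one edit (including a letter swap) of a brand."""
    host = host.lower()
    for suffix in PLATFORM_SUFFIXES:
        if host.endswith(suffix):
            host = host[: -len(suffix)]  # judge the attacker-chosen part only
    labels = host.split(".")
    tokens = [t for lbl in labels for t in lbl.split("-")]
    for brand in BRANDS:
        for part in labels + tokens:
            if brand in part or (len(part) >= 4 and osa_distance(part, brand) <= 1):
                return brand
    return None


def final_host(start_url: str, redirects: dict[str, str | None]) -> str | None:
    """Follow a recorded redirect chain (a constructed map, not live HTTP) to its end.
    Returns None if the chain does not terminate within MAX_HOPS."""
    url, hops = start_url, 0
    while redirects.get(url) and hops < MAX_HOPS:
        url, hops = redirects[url], hops + 1
    return urlparse(url).hostname if hops < MAX_HOPS else None


@dataclass
class Observation:
    host: str
    serves_login_page: bool
    has_mx: bool  # mail-capable: the "registered early, activated later" near-signal
    redirects: dict[str, str | None] = field(default_factory=dict)


def triage(obs: Observation) -> str:
    """Classify one observed host the way the post describes: lookalike first,
    then suppress vanity domains whose login page lands on a trusted IdP."""
    brand = brand_hit(obs.host)
    if brand is None:
        return "no_brand_signal"
    if obs.serves_login_page:
        if final_host(f"https://{obs.host}/", obs.redirects) in TRUSTED_SSO_HOSTS:
            return f"legit_sso_vanity:{brand}"
        return f"credential_harvest_candidate:{brand}"
    if obs.has_mx:
        return f"watch_mail_capable_typosquat:{brand}"
    return f"watch_dormant_lookalike:{brand}"


# Constructed observations mirroring the shapes described in the post.
SAMPLE = [
    Observation("meta-ads-manager-accounts-admin.vercel.app", True, False),
    Observation("appel-find.pages.dev", True, False),
    Observation("usps-trackng-update.test", False, True),
    Observation("examplehealth-login.test", True, False, {
        "https://examplehealth-login.test/": "https://login.example-idp.test/oauth2/authorize",
        "https://login.example-idp.test/oauth2/authorize": None,
    }),
    Observation("news.unrelated-site.test", True, False),
]


def triage_all(observations=SAMPLE) -> dict[str, str]:
    return {o.host: triage(o) for o in observations}


if __name__ == "__main__":
    for host, verdict in triage_all().items():
        print(f"{host:45s} pattern49={on_free_platform(host)!s:5s} {verdict}")
```

The fourth observation is the false positive the post describes: the hostname embeds the cohort brand and serves a login page, so the lookalike stage flags it, but its redirect chain ends on an allowlisted identity provider and it is downgraded rather than reported as staging. The third stays in the "watch" bucket because it is mail-capable but serves no login page.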
The distinction matters because "exposed" and "under attack" call for different responses. Exposed means you have time to close the surface. Under attack means you are already behind. Confusing the two is how security teams either panic at shadows or sleep through the real thing.
The One-Line Weather Report
Consumers are getting phished right now at volume — Meta ad accounts, Apple IDs, digital identities, mail-tracking scams — on trusted free hosting. Enterprises, especially in healthcare, are sitting on the biggest structural exposure but are not yet being actively staged against. And the infrastructure board is elevated across six signals in the pattern that usually precedes a wave, with no named target yet. If you are a person, the fire is aimed at you today. If you are an enterprise, the smart use of this quiet is to close the surface before the cloud bank on the horizon decides where to rain. Ninety-five percent confidence on the reads above; the missing five percent is the target of the wave we can see forming but cannot yet name — which is exactly the part we will not pretend to know.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.